Re-use refresh token instead of starting new authorization code flow

[ZIRAKrezovic]

What feature do you want to see added?

Refresh token support was recently added to oic-auth-plugin and it works as expected for calls with API tokens.

However, even when offline token is available, client will get redirected to OIDC login page when Jenkins session expires, ending up in several offline tokens for a single user in the SSO, wasting storage and generating warnings from IT departments.

doCommenceLogin should be improved to check for an existing token, possibly in collaboration with RememberMeServices to securely identify the user and re-use the offline token, before redirecting to sign in page.

Upstream changes

No response

Are you interested in contributing this feature?

No response

[jtnord]

doCommenceLogin should be improved to check for an existing token

when doCommenceLogin is called there is no session (its expired), so there is no authentication context to obtain a user, to obtain the refresh token for them.

So as such this request appears invalid.

The session could possibly be extended so long as the refresh token is valid and the token can be refreshed. https://jakarta.ee/specifications/servlet/6.1/apidocs/jakarta.servlet/jakarta/servlet/http/httpsessionlistener#sessionDestroyed(jakarta.servlet.http.HttpSessionEvent) is called when a session is about to be invalidated, but there is no API that I am aware of to veto the invalidation, or extend it, and other listeners may have performed some cleanup in reaction to the event before we get to handle it.

[ZIRAKrezovic]

As far as I'm aware, there is something called RememberMeServices that may be used in this regard. We will need to check that.